diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h
index 0fed81d1..6e0cecc7 100644
--- a/include/openssl/ssl.h
+++ b/include/openssl/ssl.h
@@ -4202,207 +4202,6 @@ struct ssl_st {
 int tlsext_status_type;
 };
-typedef struct ssl3_record_st {
- /* type is the record type. */
- uint8_t type;
- /* length is the number of unconsumed bytes in the record. */
- uint16_t length;
- /* data is a non-owning pointer to the first unconsumed byte of the record. */
- uint8_t *data;
-} SSL3_RECORD;
-
-typedef struct ssl3_buffer_st {
- /* buf is the memory allocated for this buffer. */
- uint8_t *buf;
- /* offset is the offset into |buf| which the buffer contents start at. */
- uint16_t offset;
- /* len is the length of the buffer contents from |buf| + |offset|. */
- uint16_t len;
- /* cap is how much memory beyond |buf| + |offset| is available. */
- uint16_t cap;
-} SSL3_BUFFER;
-
-/* An ssl_shutdown_t describes the shutdown state of one end of the connection,
- * whether it is alive or has been shutdown via close_notify or fatal alert. */
-enum ssl_shutdown_t {
- ssl_shutdown_none = 0,
- ssl_shutdown_close_notify = 1,
- ssl_shutdown_fatal_alert = 2,
-};
-
-typedef struct ssl3_state_st {
- uint8_t read_sequence[8];
- uint8_t write_sequence[8];
-
- uint8_t server_random[SSL3_RANDOM_SIZE];
- uint8_t client_random[SSL3_RANDOM_SIZE];
-
- /* have_version is true if the connection's final version is known. Otherwise
- * the version has not been negotiated yet. */
- unsigned have_version:1;
-
- /* v2_hello_done is true if the peer's V2ClientHello, if any, has been handled
- * and future messages should use the record layer. */
- unsigned v2_hello_done:1;
-
- /* initial_handshake_complete is true if the initial handshake has
- * completed. */
- unsigned initial_handshake_complete:1;
-
- /* read_buffer holds data from the transport to be processed. */
- SSL3_BUFFER read_buffer;
- /* write_buffer holds data to be written to the transport. */
- SSL3_BUFFER write_buffer;
-
- SSL3_RECORD rrec; /* each decoded record goes in here */
-
- /* partial write - check the numbers match */
- unsigned int wnum; /* number of bytes sent so far */
- int wpend_tot; /* number bytes written */
- int wpend_type;
- int wpend_ret; /* number of bytes submitted */
- const uint8_t *wpend_buf;
-
- /* handshake_buffer, if non-NULL, contains the handshake transcript. */
- BUF_MEM *handshake_buffer;
- /* handshake_hash, if initialized with an |EVP_MD|, maintains the handshake
- * hash. For TLS 1.1 and below, it is the SHA-1 half. */
- EVP_MD_CTX handshake_hash;
- /* handshake_md5, if initialized with an |EVP_MD|, maintains the MD5 half of
- * the handshake hash for TLS 1.1 and below. */
- EVP_MD_CTX handshake_md5;
-
- /* recv_shutdown is the shutdown state for the receive half of the
- * connection. */
- enum ssl_shutdown_t recv_shutdown;
-
- /* recv_shutdown is the shutdown state for the send half of the connection. */
- enum ssl_shutdown_t send_shutdown;
-
- int alert_dispatch;
- uint8_t send_alert[2];
-
- int total_renegotiations;
-
- /* empty_record_count is the number of consecutive empty records received. */
- uint8_t empty_record_count;
-
- /* warning_alert_count is the number of consecutive warning alerts
- * received. */
- uint8_t warning_alert_count;
-
- /* key_update_count is the number of consecutive KeyUpdates received. */
- uint8_t key_update_count;
-
- /* aead_read_ctx is the current read cipher state. */
- SSL_AEAD_CTX *aead_read_ctx;
-
- /* aead_write_ctx is the current write cipher state. */
- SSL_AEAD_CTX *aead_write_ctx;
-
- /* enc_method is the method table corresponding to the current protocol
- * version. */
- const SSL3_ENC_METHOD *enc_method;
-
- /* pending_message is the current outgoing handshake message. */
- uint8_t *pending_message;
- uint32_t pending_message_len;
-
- /* hs is the handshake state for the current handshake or NULL if there isn't
- * one. */
- SSL_HANDSHAKE *hs;
-
- uint8_t write_traffic_secret[EVP_MAX_MD_SIZE];
- uint8_t write_traffic_secret_len;
- uint8_t read_traffic_secret[EVP_MAX_MD_SIZE];
- uint8_t read_traffic_secret_len;
- uint8_t exporter_secret[EVP_MAX_MD_SIZE];
- uint8_t exporter_secret_len;
-
- /* State pertaining to the pending handshake.
- *
- * TODO(davidben): Move everything not needed after the handshake completes to
- * |hs| and remove this. */
- struct {
- int message_type;
-
- /* used to hold the new cipher we are going to use */
- const SSL_CIPHER *new_cipher;
-
- /* used when SSL_ST_FLUSH_DATA is entered */
- int next_state;
-
- int reuse_message;
-
- uint8_t *key_block;
- uint8_t key_block_length;
-
- uint8_t new_mac_secret_len;
- uint8_t new_key_len;
- uint8_t new_fixed_iv_len;
-
- /* extended_master_secret indicates whether the extended master secret
- * computation is used in this handshake. Note that this is different from
- * whether it was used for the current session. If this is a resumption
- * handshake then EMS might be negotiated in the client and server hello
- * messages, but it doesn't matter if the session that's being resumed
- * didn't use it to create the master secret initially. */
- char extended_master_secret;
-
- /* peer_signature_algorithm is the signature algorithm used to authenticate
- * the peer, or zero if not applicable. */
- uint16_t peer_signature_algorithm;
- } tmp;
-
- /* new_session is the new mutable session being established by the current
- * handshake. It should not be cached. */
- SSL_SESSION *new_session;
-
- /* established_session is the session established by the connection. This
- * session is only filled upon the completion of the handshake and is
- * immutable. */
- SSL_SESSION *established_session;
-
- /* session_reused indicates whether a session was resumed. */
- unsigned session_reused:1;
-
- /* Connection binding to prevent renegotiation attacks */
- uint8_t previous_client_finished[12];
- uint8_t previous_client_finished_len;
- uint8_t previous_server_finished[12];
- uint8_t previous_server_finished_len;
- int send_connection_binding;
-
- /* Next protocol negotiation. For the client, this is the protocol that we
- * sent in NextProtocol and is set when handling ServerHello extensions.
- *
- * For a server, this is the client's selected_protocol from NextProtocol and
- * is set when handling the NextProtocol message, before the Finished
- * message. */
- uint8_t *next_proto_negotiated;
- size_t next_proto_negotiated_len;
-
- /* ALPN information
- * (we are in the process of transitioning from NPN to ALPN.) */
-
- /* In a server these point to the selected ALPN protocol after the
- * ClientHello has been processed. In a client these contain the protocol
- * that the server selected once the ServerHello has been processed. */
- uint8_t *alpn_selected;
- size_t alpn_selected_len;
-
- /* In a client, this means that the server supported Channel ID and that a
- * Channel ID was sent. In a server it means that we echoed support for
- * Channel IDs and that tlsext_channel_id will be valid after the
- * handshake. */
- char tlsext_channel_id_valid;
- /* For a server:
- * If |tlsext_channel_id_valid| is true, then this contains the
- * verified Channel ID from the client: a P256 point, (x,y), where
- * each are big-endian values. */
- uint8_t tlsext_channel_id[64];
-} SSL3_STATE;
-
 /* Nodejs compatibility section (hidden).
 *
diff --git a/ssl/internal.h b/ssl/internal.h
index 36f04421..debc5d43 100644
--- a/ssl/internal.h
+++ b/ssl/internal.h
@@ -1262,6 +1262,207 @@ struct ssl3_enc_method {
 int (*final_finish_mac)(SSL *ssl, int from_server, uint8_t *out);
 };
+typedef struct ssl3_record_st {
+ /* type is the record type. */
+ uint8_t type;
+ /* length is the number of unconsumed bytes in the record. */
+ uint16_t length;
+ /* data is a non-owning pointer to the first unconsumed byte of the record. */
+ uint8_t *data;
+} SSL3_RECORD;
+
+typedef struct ssl3_buffer_st {
+ /* buf is the memory allocated for this buffer. */
+ uint8_t *buf;
+ /* offset is the offset into |buf| which the buffer contents start at. */
+ uint16_t offset;
+ /* len is the length of the buffer contents from |buf| + |offset|. */
+ uint16_t len;
+ /* cap is how much memory beyond |buf| + |offset| is available. */
+ uint16_t cap;
+} SSL3_BUFFER;
+
+/* An ssl_shutdown_t describes the shutdown state of one end of the connection,
+ * whether it is alive or has been shutdown via close_notify or fatal alert. */
+enum ssl_shutdown_t {
+ ssl_shutdown_none = 0,
+ ssl_shutdown_close_notify = 1,
+ ssl_shutdown_fatal_alert = 2,
+};
+
+typedef struct ssl3_state_st {
+ uint8_t read_sequence[8];
+ uint8_t write_sequence[8];
+
+ uint8_t server_random[SSL3_RANDOM_SIZE];
+ uint8_t client_random[SSL3_RANDOM_SIZE];
+
+ /* have_version is true if the connection's final version is known. Otherwise
+ * the version has not been negotiated yet. */
+ unsigned have_version:1;
+
+ /* v2_hello_done is true if the peer's V2ClientHello, if any, has been handled
+ * and future messages should use the record layer. */
+ unsigned v2_hello_done:1;
+
+ /* initial_handshake_complete is true if the initial handshake has
+ * completed. */
+ unsigned initial_handshake_complete:1;
+
+ /* read_buffer holds data from the transport to be processed. */
+ SSL3_BUFFER read_buffer;
+ /* write_buffer holds data to be written to the transport. */
+ SSL3_BUFFER write_buffer;
+
+ SSL3_RECORD rrec; /* each decoded record goes in here */
+
+ /* partial write - check the numbers match */
+ unsigned int wnum; /* number of bytes sent so far */
+ int wpend_tot; /* number bytes written */
+ int wpend_type;
+ int wpend_ret; /* number of bytes submitted */
+ const uint8_t *wpend_buf;
+
+ /* handshake_buffer, if non-NULL, contains the handshake transcript. */
+ BUF_MEM *handshake_buffer;
+ /* handshake_hash, if initialized with an |EVP_MD|, maintains the handshake
+ * hash. For TLS 1.1 and below, it is the SHA-1 half. */
+ EVP_MD_CTX handshake_hash;
+ /* handshake_md5, if initialized with an |EVP_MD|, maintains the MD5 half of
+ * the handshake hash for TLS 1.1 and below. */
+ EVP_MD_CTX handshake_md5;
+
+ /* recv_shutdown is the shutdown state for the receive half of the
+ * connection. */
+ enum ssl_shutdown_t recv_shutdown;
+
+ /* recv_shutdown is the shutdown state for the send half of the connection. */
+ enum ssl_shutdown_t send_shutdown;
+
+ int alert_dispatch;
+ uint8_t send_alert[2];
+
+ int total_renegotiations;
+
+ /* empty_record_count is the number of consecutive empty records received. */
+ uint8_t empty_record_count;
+
+ /* warning_alert_count is the number of consecutive warning alerts
+ * received. */
+ uint8_t warning_alert_count;
+
+ /* key_update_count is the number of consecutive KeyUpdates received. */
+ uint8_t key_update_count;
+
+ /* aead_read_ctx is the current read cipher state. */
+ SSL_AEAD_CTX *aead_read_ctx;
+
+ /* aead_write_ctx is the current write cipher state. */
+ SSL_AEAD_CTX *aead_write_ctx;
+
+ /* enc_method is the method table corresponding to the current protocol
+ * version. */
+ const SSL3_ENC_METHOD *enc_method;
+
+ /* pending_message is the current outgoing handshake message. */
+ uint8_t *pending_message;
+ uint32_t pending_message_len;
+
+ /* hs is the handshake state for the current handshake or NULL if there isn't
+ * one. */
+ SSL_HANDSHAKE *hs;
+
+ uint8_t write_traffic_secret[EVP_MAX_MD_SIZE];
+ uint8_t write_traffic_secret_len;
+ uint8_t read_traffic_secret[EVP_MAX_MD_SIZE];
+ uint8_t read_traffic_secret_len;
+ uint8_t exporter_secret[EVP_MAX_MD_SIZE];
+ uint8_t exporter_secret_len;
+
+ /* State pertaining to the pending handshake.
+ *
+ * TODO(davidben): Move everything not needed after the handshake completes to
+ * |hs| and remove this. */
+ struct {
+ int message_type;
+
+ /* used to hold the new cipher we are going to use */
+ const SSL_CIPHER *new_cipher;
+
+ /* used when SSL_ST_FLUSH_DATA is entered */
+ int next_state;
+
+ int reuse_message;
+
+ uint8_t *key_block;
+ uint8_t key_block_length;
+
+ uint8_t new_mac_secret_len;
+ uint8_t new_key_len;
+ uint8_t new_fixed_iv_len;
+
+ /* extended_master_secret indicates whether the extended master secret
+ * computation is used in this handshake. Note that this is different from
+ * whether it was used for the current session. If this is a resumption
+ * handshake then EMS might be negotiated in the client and server hello
+ * messages, but it doesn't matter if the session that's being resumed
+ * didn't use it to create the master secret initially. */
+ char extended_master_secret;
+
+ /* peer_signature_algorithm is the signature algorithm used to authenticate
+ * the peer, or zero if not applicable. */
+ uint16_t peer_signature_algorithm;
+ } tmp;
+
+ /* new_session is the new mutable session being established by the current
+ * handshake. It should not be cached. */
+ SSL_SESSION *new_session;
+
+ /* established_session is the session established by the connection. This
+ * session is only filled upon the completion of the handshake and is
+ * immutable. */
+ SSL_SESSION *established_session;
+
+ /* session_reused indicates whether a session was resumed. */
+ unsigned session_reused:1;
+
+ /* Connection binding to prevent renegotiation attacks */
+ uint8_t previous_client_finished[12];
+ uint8_t previous_client_finished_len;
+ uint8_t previous_server_finished[12];
+ uint8_t previous_server_finished_len;
+ int send_connection_binding;
+
+ /* Next protocol negotiation. For the client, this is the protocol that we
+ * sent in NextProtocol and is set when handling ServerHello extensions.
+ *
+ * For a server, this is the client's selected_protocol from NextProtocol and
+ * is set when handling the NextProtocol message, before the Finished
+ * message. */
+ uint8_t *next_proto_negotiated;
+ size_t next_proto_negotiated_len;
+
+ /* ALPN information
+ * (we are in the process of transitioning from NPN to ALPN.) */
+
+ /* In a server these point to the selected ALPN protocol after the
+ * ClientHello has been processed. In a client these contain the protocol
+ * that the server selected once the ServerHello has been processed. */
+ uint8_t *alpn_selected;
+ size_t alpn_selected_len;
+
+ /* In a client, this means that the server supported Channel ID and that a
+ * Channel ID was sent. In a server it means that we echoed support for
+ * Channel IDs and that tlsext_channel_id will be valid after the
+ * handshake. */
+ char tlsext_channel_id_valid;
+ /* For a server:
+ * If |tlsext_channel_id_valid| is true, then this contains the
+ * verified Channel ID from the client: a P256 point, (x,y), where
+ * each are big-endian values. */
+ uint8_t tlsext_channel_id[64];
+} SSL3_STATE;
+
 /* lengths of messages */
 #define DTLS1_COOKIE_LENGTH 256
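Review bot: The comment above `send_shutdown` in `SSL3_STATE` names the wrong field: it reads `/* recv_shutdown is the shutdown state for the send half of the connection. */`, carried over unchanged from the copy removed from include/openssl/ssl.h. Since the struct is being re-homed in ssl/internal.h anyway, correct it to `/* send_shutdown is the shutdown state for the send half of the connection. */`. The key-material fields (`write_traffic_secret`, `read_traffic_secret`, `exporter_secret` with their `_len` companions, and `tmp.key_block`) carry no comments at all. A one-line comment stating that each `_len` is the number of valid bytes and never exceeds `EVP_MAX_MD_SIZE` would record the bound that readers of those arrays depend on; that is presumably the intent, so confirm it against the code that fills them.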